
I Just Got a Letter from OCR — What Do I Do?

By GuardWell Compliance Team·March 13, 2026·9 min read

You opened an envelope from the U.S. Department of Health and Human Services, Office for Civil Rights. Your stomach dropped. If you are reading this article, you are probably holding that letter right now — or you just set it down. Take a breath. This is serious, but it is survivable. Thousands of practices receive these letters every year, and most resolve them without devastating consequences if they respond correctly. Here is exactly what to do.

First: Understand What You Are Holding

OCR sends several types of correspondence, and identifying which one you received matters enormously for your next steps:

  • Complaint investigation notification: Someone (usually a patient or employee) filed a complaint with OCR alleging a HIPAA violation at your practice. This is the most common type. OCR investigates every complaint that meets their criteria — receiving one does not mean you have been found guilty of anything.
  • Compliance review notification: OCR selected your practice for a proactive compliance review. These are less common and are often triggered by a prior complaint history, a large breach report, or random selection from a compliance audit program.
  • Data request letter: OCR is requesting specific documentation about your HIPAA compliance program — policies, training records, risk assessments, or incident reports related to a specific allegation.
  • Technical assistance letter: OCR identified a potential compliance issue but is offering guidance rather than pursuing enforcement. This is the best-case scenario.

What to Do in the First 24 Hours

Your immediate response sets the tone for the entire investigation. Here is your checklist for the first day:

  1. Read the letter carefully and identify the deadline. OCR typically gives you 30 days to respond, sometimes fewer. Note the exact date and do not miss it — failure to respond is treated as a separate violation.
  2. Do not panic-respond. Do not call OCR immediately to explain or apologize. Do not fire anyone. Do not destroy or alter any documents (this is obstruction and turns a manageable situation into a catastrophe).
  3. Preserve all evidence. Issue an internal preservation notice. Stop any routine document destruction for records related to the complaint. Back up relevant electronic records.
  4. Identify your Privacy and Security Officers. If you do not have them designated, that is a problem you will need to address, but do not fabricate backdated designations.
  5. Consider engaging a healthcare compliance attorney. For anything beyond a simple technical assistance letter, legal counsel familiar with HIPAA enforcement is worth the investment. Attorney-client privilege also protects your internal investigation findings.

What OCR Is Looking For

OCR investigations typically request documentation in specific categories. Understanding what they want helps you assess your current position:

  • Policies and procedures: Written HIPAA Privacy and Security policies that are current, comprehensive, and specific to your practice — not a generic template you downloaded and never customized.
  • Risk assessment: A documented Security Risk Assessment (SRA) is the single most-requested item in OCR investigations. If you do not have one, this is your biggest vulnerability.
  • Training records: Documentation proving all workforce members received HIPAA training, including dates, topics covered, and attestation signatures.
  • Business Associate Agreements: Executed BAAs with every vendor who accesses PHI on your behalf.
  • Incident-specific documentation: If the complaint involves a specific incident, OCR will request your investigation records, breach risk assessment, notification documentation, and any corrective actions taken.

How to Respond to the Letter

Your response should be factual, organized, and thorough without being defensive or volunteering information beyond what was requested:

  • Address every specific allegation or data request point by point.
  • Provide copies (not originals) of requested documentation.
  • If you have gaps — a missing SRA, lapsed training, or absent policies — acknowledge them honestly and describe the corrective actions you are taking now. Attempting to fabricate compliance history will backfire.
  • If you need more time, request an extension before the deadline expires. OCR generally grants reasonable extension requests.
  • Keep a copy of everything you submit and send your response via a trackable method.

Possible Outcomes

OCR investigations can resolve in several ways, ranging from best to worst case:

  1. No violation found: OCR closes the case with no further action. This happens when your documentation demonstrates compliance.
  2. Technical assistance provided: OCR identifies minor issues and provides guidance on how to correct them. No penalty, but you are expected to implement the guidance.
  3. Resolution agreement with corrective action plan: OCR finds violations but agrees to resolve them through a formal corrective action plan. This may or may not include a monetary settlement depending on the severity.
  4. Civil monetary penalty: For serious or willful violations where the practice is uncooperative or the violations are egregious, OCR can impose penalties ranging from $100 to over $2 million per violation category per year.

The Most Important Thing You Can Do Right Now

If this letter exposed the fact that your practice does not have a formal compliance program — no current SRA, no documented policies, no training records — the best time to start was years ago. The second best time is today. OCR looks favorably on practices that demonstrate they are actively building a compliance program, even if they were previously deficient. Document every step you take from this moment forward. Start your risk assessment. Implement policies. Begin staff training. Track everything.

A compliance platform like GuardWell can help you build that documented program quickly — with guided risk assessments, a policy library, training management, and audit preparation tools that create exactly the kind of evidence OCR wants to see. Whether or not you use a platform, the key is to start now and document everything.
